It took three years for Malaysians to find out that their private data had been sold to the highest bidder on the dark web, no thanks to a hacker who got hold of the personal details of 42 million mobile subscribers in what is now dubbed one of the largest data breaches in the country.
That discovery was made early October this year when a forum user advertised the sale of the data bundle on lowyat.net, with an asking price of 1 bitcoin or roughly RM32,000. Buyers could purchase the entire list anonymously, since payment was in bitcoin.
Aside from telco customers, the hacked list contained data from the Malaysian Medical Council, Malaysian Medical Association and Malaysian Dental Association.
One do-gooder, tech blogger Keith Rozario, launched a microsite sayakenahack.com where Malaysians could punch in their identification card numbers to find out if their personal data have been compromised.
Despite his white-hat intentions, the Malaysian Communications and Multimedia Commission (MCMC) blocked access to the site.
The police are now investigating the case and telco companies said they would cooperate in investigations. For now, police said they have identified the culprits and while they have not pinpointed the specific event that led to the breach, investigators were narrowing down the possibilities.
Such a long delay, coupled with the mode of discovery, is shocking – but given the limits of regulation and the inexperience in handling cybersecurity problems, it is not at all surprising.
A breach of this proportion serves as a warning for what may lie ahead. Hacks will grow more sophisticated and prevalent, and as Malaysians continue to migrate to digital spaces, their data becomes more valuable – and more at risk – than ever.
Companies have legitimate reasons to delay disclosure about a leak, and the law helps preserve their self-interests
Data breaches look bad for a company’s reputation but there is little oversight on how companies handle data privacy. The dos and don’ts are spelled out in the Personal Data Protection Act (PDPA) 2010.
Section 6, the General Principle, states that a data user – a person or a company – cannot process personal data without the consent of the data subject – you, the customer.
There are some exceptions to this but customers usually agree to give away data by simply ticking the “I agree to the terms” checkbox.
The devil is indeed in the details, but a data user is not required to report breaches to the authorities or to customers. In the case of the telco breach, Malaysians cannot fault the companies for delaying an announcement if they knew about it all along.
There are legitimate reasons for this. For cybersecurity watchers such as Shawn Tan of boutique computer engineering firm Aeste, a simple disclosure without an action plan is unwise.
“While they may have a duty towards the people whose data they’ve collected, they also have other duties such as to their shareholders and public safety,” said Tan.
“Simply disclosing the fact that the data has been hacked without having any idea of what was done, how it was done, and without any solution, may cause panic and financial damage to the company. So, a reasonable delay is OK.”
The recent data leak involving global credit reporting agency Equifax is an example of what not to do once an incident has occurred.
After discovering the breach in late July this year, high-level executives sold off almost US$2 million of the company’s stocks, weeks before they went public about the hacks, prompting stocks to fall 18%.
To top it off, Equifax tried to make good with customers by offering free credit monitoring and identity theft protection, in return for a waiver of their right to join a class action lawsuit against the company.
But popular blog comment service Disqus chose a different tack. After discovering a security breach, the company issued a statement within 24 hours apologising to users and outlining the possible consequences and even an action plan. Ideally that should be the norm; it's still an exception everywhere, not just in Malaysia.
For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”
Customers need to know if their data have been compromised to protect themselves
If someone runs their identification number on sayakenahack.com and is found to be compromised, the result reads like this:
The severity of the situation is illustrated by the IMSI number, which is unique to a mobile user. In the hands of an experienced hacker, that information can be used to track or spoof a person.
The hacker then simply combines the data from the leaked list with the credit card data, and can buy goods and charge them to the cardholder.
Since the hacker used the correct OTP, the issuing bank will claim that authorisation was given by keying in the right password, leaving the cardholder, rather than the merchant or the bank, liable.
“Granted this particular vulnerability is a targeted one. So, most of us are safe. However if you are a person of interest such as a politician or senior government official, then you should be extra diligent when communicating over the phone whether using voice or SMS,” added Tan.
For any data breach, the most important factor is timing. Customers need to make changes and set up alerts as quickly as possible to prevent harm. In the case of the telco breach, it goes without saying that the data has already fallen into criminal hands, which makes the case for people to be notified as soon as possible if their data have been hacked.
Under Sections 38 and 42 of the PDPA, a data subject can request in writing that a company stop using or storing their data. However, the company may comply or refuse with reasons, and if it has a legal obligation to collect the data, it can deny such requests.
Pressing companies to come forward about breaches – and suffer the hit to their reputation – could incentivise them to take security more seriously. Greater transparency can also give cybersecurity researchers more information with which to design better solutions in the future.
Logistics aside, the principle behind this is that people have a right to know if their personal data is secure, as our digital identities are extensions of our financial and physical selves.
Even though the PDPA stipulates in Section 8 that companies should handle people’s data with care and not simply disclose them to third parties, the onus is on the customer to prove that there is damage sustained as a result of the breach.
Such damage is difficult to prove, as identity theft is hard to establish.
PDPA is thin on its exemption for governments and that might be worrying
According to Section 3 of the PDPA, the federal government and state governments fall outside the purview of the act. It is also not applicable to personal data processed outside Malaysia.
Now, federal and state governments collect a lot of data and depending on a person’s political leanings, just going by this fact may or may not be a cause for alarm. After all, a government that has a decent amount of data can use them to improve the livelihood of its citizens. Or spy on them.
Conspiracy theories aside, the PDPA falls short on stating whether government-linked or government-linked investment companies as well as government-owned companies such as MRT Corp are exempted, too.
One lawyer noted that agencies and statutory bodies established under acts of parliament or state enactments to perform specific public functions – such as Bank Negara Malaysia (BNM), the Employees Provident Fund, the Securities Commission and the Companies Commission of Malaysia – fell within the scope of this exemption.
These are not generally a cause for concern as public institutions do adhere to a strict code when handling personal data.
Still, one could ask the same about political parties on both sides of the divide – since some state governments are led by the opposition – and where they fit within the PDPA. Big data is trending and it is plausible that a government, be it federal or state, might just allow access to personal data in the name of better voter targeting and campaigning.
As for voting, this is where a more realistic cause for concern lies: the vulnerability of the Election Commission website.
The site publishes your full name and constituency based on your identification number. Browsers label the site insecure because it does not use an encrypted connection, meaning whatever information you submit can be viewed by others.
It does not take much to get a website secured: a Let's Encrypt certificate, which costs nothing, would solve the problem in less than five minutes. To put things in perspective, this blog you are reading is secured and probably costs not even a fraction of the commission’s website maintenance fee.
Again, this lack of security can empower someone to create a fake Election Commission website, make it look identical and let typical online behaviour do the heavy lifting.
Note: you need to punch in your identification if you want to know your details as a voter, which means if a data breach happened, it would be something similar to the telco incident – hackers getting hold of you, in every sense of the word.
As an aside, a World Bank Group report released this year found a lack of clarity among government agencies about laws governing the release of information. Earlier in May, the group found particular confusion between the Official Secrets Act 1972 and the PDPA.
Malaysians can only do so much to protect their identities. The country needs tighter cybersecurity policies
Consider this: to open a bank account, rent an apartment or even apply for a job, a person has to reveal a lot of personal information.
Khairil Yusof, co-founder of open data activist group Sinar Project, wants Malaysia to use a system which relies less on the identification card.
“Our pervasive use of the IC is a problem and you can’t change IC numbers. While it helps me as a researcher, it also makes it easier for hackers to join data sets. In this, the cat is out of the bag for Malaysia.”
He believes the country should take its cue from India and the US which are debating the use of identification cards and social security numbers, respectively.
While calling for the practice of good data hygiene, Tan argues that banks relying on SMS-based OTPs should cease the use of such systems immediately. He suggests switching to time-based one-time passwords.
“Any other online services that rely on SMS to authenticate or authorise should follow suit,” he said.
“Regular companies should also hire an information security consultant to protect the data. The technology already exists to properly store data-at-rest and protect data-in-transit. It’s just that most IT people are not trained to think that way. So, get some help.”
But the best place to start is with the PDPA, where the government could amend certain provisions to make such data leaks a strict liability. For comparison, the EU has a law going into effect next year requiring companies to notify customers within 72 hours of discovering a hack.
Such measures would force companies to get their act together and to treat the data in their possession seriously.
Some activists, such as Khairil, may not fancy national law, citing the arbitrary decisions made by the MCMC as an example. For reasons unknown, the longform blogging platform Medium is still blocked by the commission.
For people like him, the fear is that what is supposedly open data will be marked as an official secret, and that fear – if based on the World Bank report cited above – is justified.
However, big hacks like the telco fiasco put into context just how much control companies have over our personal information.
Companies aren’t incentivised to put customers first, and whether it’s minimising how much information they collect or simply telling the public they have been breached, it is difficult to depend on them in good faith.
It’s up to policymakers and government regulators to keep them in check and to keep our data secure.